Fri Feb 20 09:32:07 2015 UTC ()
Fix SSL error-queue handling based on an upstream patch. PKGREVISION++

https://github.com/bumptech/stud/pull/130


(fhajny)
diff -r1.3 -r1.4 pkgsrc/security/stud/Makefile
diff -r1.1 -r1.2 pkgsrc/security/stud/distinfo
diff -r1.1 -r1.2 pkgsrc/security/stud/patches/patch-stud.c

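--- a/pkgsrc/security/stud/Attic/Makefile
+++ b/pkgsrc/security/stud/Attic/Makefile
@@ -1,18 +1,18 @@
-# $NetBSD: Makefile,v 1.3 2014/09/23 14:26:35 fhajny Exp $
+# $NetBSD: Makefile,v 1.4 2015/02/20 09:32:07 fhajny Exp $
 #
 
 PKGNAME= stud-0.3p53
-PKGREVISION= 2
+PKGREVISION= 3
 CATEGORIES= security
 MAINTAINER= jym@NetBSD.org
 HOMEPAGE= http://github.com/bumptech/stud
 COMMENT= Scalable TLS Unwrapping Daemon
 LICENSE= 2-clause-bsd
 
 MASTER_SITES= http://rohara.fedorapeople.org/stud/
 DISTNAME= bumptech-stud-0.3-51-g0b88039
 WRKSRC= ${WRKDIR}/bumptech-stud-0b88039
 
 USE_TOOLS+= gmake nroff pax:run
 
 BUILD_DEFS+= STUD_USER STUD_GROUP VARBASE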

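--- a/pkgsrc/security/stud/Attic/distinfo
+++ b/pkgsrc/security/stud/Attic/distinfo
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.1 2013/03/16 19:41:35 jym Exp $
+$NetBSD: distinfo,v 1.2 2015/02/20 09:32:07 fhajny Exp $
 
 SHA1 (bumptech-stud-0.3-51-g0b88039.tar.gz) = fad22d9cf008b7db8f30d8d7ca0a6fcc177714de
 RMD160 (bumptech-stud-0.3-51-g0b88039.tar.gz) = 66a186e1095fd127945802ab681f5948ee1d4011
 Size (bumptech-stud-0.3-51-g0b88039.tar.gz) = 41000 bytes
 SHA1 (patch-Makefile) = c0794c6ebb3bdc3d55b473acec674a9f98b03ffb
 SHA1 (patch-configuration.c) = 886226a104f84bac6902bb8a8593d37a25653563
 SHA1 (patch-stud.8) = a6b36ab6ac8c65cbc70172a9c230b22965cbdc3d
-SHA1 (patch-stud.c) = 9b11693619291925376f35f1443bbec83a1d798b
+SHA1 (patch-stud.c) = aae56a212de51dfec4c31a9f4318818a79a51dfd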

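--- a/pkgsrc/security/stud/patches/Attic/patch-stud.c
+++ b/pkgsrc/security/stud/patches/Attic/patch-stud.c
@@ -1,17 +1,19 @@
-$NetBSD: patch-stud.c,v 1.1 2013/03/16 19:41:36 jym Exp $
+$NetBSD: patch-stud.c,v 1.2 2015/02/20 09:32:07 fhajny Exp $
 
 SunOS fixes as per https://github.com/bumptech/stud/pull/71.
---- stud.c.orig 2012-08-15 10:33:39.000000000 +0000
+SSL fixes as per https://github.com/bumptech/stud/pull/130.
+
+--- stud.c.orig 2012-08-10 23:40:19.000000000 +0000
 +++ stud.c
 @@ -189,9 +189,17 @@ typedef struct proxystate {
  
  /* Set a file descriptor (socket) to non-blocking mode */
  static void setnonblocking(int fd) {
 - int flag = 1;
 -
 - assert(ioctl(fd, FIONBIO, &flag) == 0);
 + int flag;
 +#if defined(O_NONBLOCK)
 + /* O_NONBLOCK is more portable and POSIX-standard */
 + flag = O_NONBLOCK;
 + assert (fcntl(fd, F_SETFL, flag) == 0);
@@ -25,27 +27,58 @@ SunOS fixes as per https://github.com/bu
  
  /* set a tcp socket to use TCP Keepalive */
 @@ -203,9 +211,9 @@ static void settcpkeepalive(int fd) {
  ERR("Error activating SO_KEEPALIVE on client socket: %s", strerror(errno));
  }
  
 +#ifdef TCP_KEEPIDLE
  optval = CONFIG->TCP_KEEPALIVE_TIME;
  optlen = sizeof(optval);
 -#ifdef TCP_KEEPIDLE
  if(setsockopt(fd, SOL_TCP, TCP_KEEPIDLE, &optval, optlen) < 0) {
  ERR("Error setting TCP_KEEPIDLE on client socket: %s", strerror(errno));
  }
-@@ -1751,24 +1759,16 @@ void daemonize () {
+@@ -889,6 +897,13 @@ static void shutdown_proxy(proxystate *p
+ close(ps->fd_up);
+ close(ps->fd_down);
+ 
++ // Clear the SSL error queue - it might contain details
++ // of errors that we haven't consumed for whatever reason.
++ // If we don't, future calls to SSL_get_error will lead to
++ // weird/confusing results that can throw off the handling
++ // of normal conditions like SSL_ERROR_WANT_READ.
++ ERR_clear_error();
++
+ SSL_set_shutdown(ps->ssl, SSL_SENT_SHUTDOWN);
+ SSL_free(ps->ssl);
+ 
+@@ -1197,7 +1212,15 @@ static void client_handshake(struct ev_l
+ shutdown_proxy(ps, SHUTDOWN_SSL);
+ }
+ else {
+- LOG("{%s} Unexpected SSL error (in handshake): %d\n", w->fd == ps->fd_up ? "client" : "backend", err);
++
++ // Try and get more detail on the error from the SSL
++ // error queue. ERR_error_string requires a char buffer
++ // of 120 bytes.
++ unsigned long err_detail = ERR_get_error();
++ char err_msg[120];
++ ERR_error_string(err_detail, err_msg);
++
++ LOG("{client} Unexpected SSL error (in handshake): %d, %s\n", err, err_msg);
+ shutdown_proxy(ps, SHUTDOWN_SSL);
+ }
+ }
+@@ -1751,24 +1774,16 @@ void daemonize () {
  exit(0);
  }
  
 - /* close standard streams */
 - fclose(stdin);
 - fclose(stdout);
 - fclose(stderr);
 -
  /* reopen standard streams to null device */
 - stdin = fopen(NULL_DEV, "r");
 - if (stdin == NULL) {
 + if (freopen(NULL_DEV, "r", stdin) == NULL) {
  ERR("Unable to reopen stdin to %s: %s\n", NULL_DEV, strerror(errno));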
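Review bot: The new LOG line added in the client_handshake hunk hardcodes `{client}`, whereas the line it replaces derived the side from `w->fd == ps->fd_up ? "client" : "backend"`; if this handler is also reached for the backend socket, as that removed check suggests, backend handshake failures will now be logged as client failures, and keeping the selector costs one argument: `LOG("{%s} Unexpected SSL error (in handshake): %d, %s\n", w->fd == ps->fd_up ? "client" : "backend", err, err_msg);`. The 120-byte buffer matches what ERR_error_string documents, but the bounded form `ERR_error_string_n(err_detail, err_msg, sizeof err_msg);` ties the size to the array instead of a comment, and when ERR_get_error() returns 0 on an empty queue the message will show a zero error code, which the comment above the call should mention so operators do not chase it. The ERR_clear_error() added in shutdown_proxy is the right place to drain stale entries before the next SSL_get_error on this thread, and is not affected by either remark. Both shutdown_proxy and client_handshake start and end outside this hunk.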